Author Topic: Sirefef spyware  (Read 11960 times)


renw

  • Guest
Sirefef spyware
« on: February 16, 2012, 10:48:43 PM »
Hi there ,

A friend of mine has the Sirefef spyware. Removed it with many tools but it keeps coming back.

Could use some help :) Not sure where to start so if someone could assist me? That would be nice, thanks :)

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76012
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Sirefef spyware
« Reply #1 on: February 16, 2012, 11:04:40 PM »
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

renw

  • Guest
Re: Sirefef spyware
« Reply #2 on: February 16, 2012, 11:06:17 PM »
Yeah :) My bad, I just read that after posting :P Too quick.

Is it ok to log in to the forum from the infected computer? I've heard about password stealers, so I don't want to take any risk. What do you suggest?

I'd use my USB flash drive, but I'm afraid that might get infected as well.

renw

  • Guest
Re: Sirefef spyware
« Reply #3 on: February 16, 2012, 11:33:04 PM »
Wanted to start the computer to get the logs, but I'm getting this BSOD :S

STOP: C0000135 The program can't start because %hs is missing. Try reinstalling the program

Don't have any working recovery points :(

Offline Asyn

Re: Sirefef spyware
« Reply #4 on: February 16, 2012, 11:41:50 PM »
Try to start in safe mode.

renw

  • Guest
Re: Sirefef spyware
« Reply #5 on: February 17, 2012, 12:13:43 AM »
Same problem. Also tried booting with the Win7 CD and try repair. Same problem.

Chkdsk doesn't work either. I've had this problem before when I tried to delete it, but I could always restore it with the system recovery. For some reason they are all gone now.

Does anyone know what's being edited when you delete the virus by, let's say, MS Security Essentials?

Maybe I can manually restore it with a reg-editor or some other tool.

Thanks in advance :)

Offline Asyn

Re: Sirefef spyware
« Reply #6 on: February 17, 2012, 12:19:30 AM »
As you already used "many tools", it's very hard to tell without any logs.
Maybe essexboy can help you, I'll inform him about this thread.

renw

  • Guest
Re: Sirefef spyware
« Reply #7 on: February 17, 2012, 12:40:54 AM »
I'll do my best to retrace my steps :)

First I looked in these forums for a case similar to mine.

I used ASWMBR to scan and it deleted some files:

c:\windows\system32\consrv.dll
C:\Windows\assembly\GAC_64\Desktop.in
C:\Windows\assembly\GAC_32\Desktop.ini

Combofix did the same.

Then I ran MBAM, which found files in my temp folder. (Don't remember which, sorry.)

After that I wanted to reboot and saw in a flash that Windows update was installing 2 updates.
After that I saw ( very quickly ) something about registry, windows rebooted and now I got this problem with the %hs thingy.

The only recovery point I've got is from the Windows update, but when I try to restore that, it won't work.

renw

  • Guest
Re: Sirefef spyware
« Reply #8 on: February 17, 2012, 12:54:48 AM »
Managed to recover some MBAM logs; they found these:

C:\Windows\Temp\qvxqjy\setup.exe

HKLM\system\CurrentControlset\Services\AMService

Trojan vupx tp2 (will be deleted on reboot)

C:\windows\Assembly\temp\twl.dll

pup.bitminer

Hope it's useful.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Sirefef spyware
« Reply #9 on: February 17, 2012, 07:43:13 PM »
OK, first let's try to get you rebooted.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
 
Plug the flashdrive into the infected PC.
 
Enter System Recovery Options.
 
To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

renw

  • Guest
Re: Sirefef spyware
« Reply #10 on: February 18, 2012, 01:38:53 PM »
Managed to get in by editing the reg key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Subsystems

It was saying consrv instead of winsrv.

Now finally, here are the logs :-)
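The poster's fix above points at the mechanism behind the STOP C0000135 screen: the `Windows` value under `Session Manager\SubSystems` tells csrss which server DLLs to load, and the infection had swapped the console entry from `winsrv` to `consrv`, so deleting `consrv.dll` left the boot chain pointing at a file that no longer existed. The following script is an added example, not code from the thread or from any of the tools named in it. It parses the `ServerDll=` tokens of that value and reports any module outside an allowlist; the allowlist, the sample values and the Windows 7 layout are assumptions marked in the comments, and on Windows it reads the live value via `winreg` while elsewhere it audits a constructed sample.

```python
"""Audit the CSRSS SubSystems 'Windows' value for ServerDll entries that do not
belong there.  Sirefef, as described in the thread, redirected the console
ServerDll entry from winsrv to consrv; once the rogue consrv.dll was deleted,
csrss could not load it and the system stopped with STOP C0000135 (%hs missing)."""
import re
import sys

# Registry location of the value (value name "Windows", type REG_EXPAND_SZ).
SUBSYSTEMS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
VALUE_NAME = "Windows"

# Assumption: ServerDll module names a stock Windows 7 csrss uses.  Confirm the
# allowlist against a known-clean machine of the same OS version before relying on it.
KNOWN_SERVER_DLLS = frozenset({"basesrv", "winsrv", "sxssrv"})

# Constructed sample values modelled on the Windows 7 layout (not copied from
# the poster's machine).  TAMPERED_VALUE reproduces the winsrv -> consrv swap.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 "
    "ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 "
    "ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16"
)
TAMPERED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

# Token shape: ServerDll=<module>[:<init function>],<index>
_SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::([^,\s]+))?,(\d+)")


def parse_server_dlls(value):
    """Return (module, init_function_or_None, index) for every ServerDll token."""
    return [
        (m.group(1).lower(), m.group(2), int(m.group(3)))
        for m in _SERVERDLL_RE.finditer(value)
    ]


def find_unexpected_server_dlls(value, allowlist=KNOWN_SERVER_DLLS):
    """Entries whose module name is not in the allowlist (consrv in the thread)."""
    return [entry for entry in parse_server_dlls(value) if entry[0] not in allowlist]


def read_live_value(key_path=SUBSYSTEMS_KEY):
    """Read the live value on Windows; return None where winreg is unavailable.

    key_path can be pointed at ControlSet001 etc. when the hive of an unbootable
    system has been loaded from a recovery environment, as the poster did."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _value_type = winreg.QueryValueEx(key, VALUE_NAME)
        return value


def main():
    value = read_live_value()
    if value is None:
        print("winreg not available; auditing the constructed sample value instead")
        value = TAMPERED_VALUE
    bad = find_unexpected_server_dlls(value)
    for module, init_fn, index in bad:
        print(f"unexpected ServerDll: {module} (init {init_fn}, index {index})")
    if not bad:
        print("SubSystems\\Windows value contains only known ServerDll modules")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as an administrator on the suspect machine; a non-zero exit code means a ServerDll entry names a module outside the allowlist, and that entry, not only the DLL on disk, is what has to be restored before the machine will boot again.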

renw

  • Guest
Re: Sirefef spyware
« Reply #11 on: February 18, 2012, 01:49:54 PM »
ASWMBR log

Offline essexboy

Re: Sirefef spyware
« Reply #12 on: February 18, 2012, 02:13:04 PM »
Was it HitmanPro that was the last tool used?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    SRV:64bit: - [2009-07-14 02:39:46 | 000,006,656 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\Windows\SysNative\SE26mdfl.dll -- (zpaction)
    NetSvcs:64bit: zpaction - C:\Windows\SysNative\SE26mdfl.dll (Oak Technology Inc.)
    [2012-02-18 13:13:38 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
    [2012-02-07 13:45:54 | 000,000,112 | ---- | M] () -- C:\ProgramData\5V8tDVG.dat

    :Files
    ipconfig /flushdns /c
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Run the MSFixit on this page http://support.microsoft.com/kb/811259 (about halfway down)

renw

  • Guest
Re: Sirefef spyware
« Reply #13 on: February 18, 2012, 02:25:37 PM »
Yes, I ran HitmanPro in an earlier stage.

Logs coming up

renw

  • Guest
Re: Sirefef spyware
« Reply #14 on: February 18, 2012, 09:09:21 PM »
That destroyed my Windows :) resulting in BSODs. Any other ideas? ;)